First ransomware for Macs surfaces and is killed off before causing widespread damage

“The only previous ransomware for OS X we are aware of is FileCoder, discovered by Kaspersky Lab in 2014,” Palo Alto Networks wrote in a blog post.

“As FileCoder was incomplete at the time of its discovery, we believe KeRanger is the first fully functional ransomware seen on the OS X platform.”

The ransomware attacked OS X via an open source program called Transmission that is used to transfer data via the BitTorrent file sharing network.

“Attackers infected two installers of Transmission version 2.90 with KeRanger on the morning of March 4,” Palo Alto Networks wrote.

The ransomware waits for three days before connecting to command-and-control servers over the clandestine Tor network.

After encrypting users’ data, KeRanger demands that victims pay one bitcoin, worth about $400, to a specific address to retrieve their files, according to Palo Alto Networks.

The company reported the ransomware issue to the Transmission Project and Apple the day it was discovered.

Apple confirmed that it has revoked a Mac app development certificate that let KeRanger bypass the tech company’s OS X Gatekeeper protection software.

The tech giant also updated its XProtect antivirus software, which means that no one can install the affected app.

Palo Alto Networks reports that the Transmission Project has removed the malicious BitTorrent client installers from its website.

The Transmission Project has also urged users to upgrade from Transmission version 2.90. “Everyone running 2.90 on OS should immediately upgrade to and run 2.92, as they may have downloaded a malware-infected file,” it said in a statement on its website, adding that the new version will remove KeRanger.

“The Trojaned BitTorrent client, Transmission, illustrates the chain of trust that end users of all stripes enter into and how it can break down,” he explained.

“This incident appears particularly sophisticated, since it involves a compromise of a software developer’s distribution site and an unrelated and likely stolen signing key.”

However, Beardsley believes that the risk to Transmission users is likely small.

“The fact that the compromise was discovered and mitigated in under a day means that the end users of Transmission are at fairly low risk; victims would have had to have downloaded the malicious disk image (DMG) installer and executed it in a relatively short window,” he said.

The scale of the ransomware threat was highlighted recently when a Los Angeles hospital paid nearly $17,000 in bitcoins to hackers who disabled its computer network.